“Smart” appliances are devices that can connect to a network to communicate with other devices while performing a specific role (e.g. within a home or small office). Smart appliances have a limited amount of built-in processing intelligence but otherwise lack the capabilities of a full-fledged computing system such as a personal computer, phone, or tablet. Examples of smart appliances include televisions, refrigerators, dishwashers, washers, dryers, thermostats, digital video recorders, DVD players, and printers. By adding a certain level of intelligence to these devices, smart appliances can be made more effective or more convenient for the user. For example, a smart dishwasher might be able to communicate with a smartphone on the local network so that the user can start the dishwasher from anywhere in the house.
Some smart appliances can also communicate with devices outside of the local network. A smart appliance may receive software updates from a remote server, or it may receive information that it uses to perform its role more effectively. For example, a smart thermostat might receive weather information from an internet-based weather service and use that information to adjust the heating settings of a house. The smart appliance might communicate with a specific server designated by the manufacturer, or it might communicate with third-party web servers via the internet.
However, smart appliances are vulnerable to security breaches that could embed code on the smart appliance and cause it to perform malicious behavior. For example, smart appliances infected with malicious code might be used to perform a Distributed Denial of Service (DDoS) attack on a remote web server, or they could be used to send user information to unauthorized recipients. Because users have only limited access to the functionality of smart appliances, it can be very difficult for a user to determine on their own whether a smart appliance is performing malicious behavior. Traditional approaches to protecting networked devices from malicious code include anti-virus software installed on the computer, which monitors the processes running on that computer to determine whether they might be exhibiting malicious behavior. Anti-virus software is typically installed on full-fledged computing systems such as personal computers, smartphones, and tablets. Smart appliances, however, do not have the computing intelligence or resources to support anti-virus software, and they often do not allow users to install additional software at all. Anti-virus software is therefore ill-suited to protecting smart appliances from infection with malicious code. Moreover, anti-virus solutions continue to have difficulty keeping up with new threats. For example, encryption is used to mask phishing, social engineering scams, malware command and control communication, and malware delivery to an endpoint.
One potential solution is to intercept traffic sent to and from a smart appliance and analyze that traffic for malicious behavior using deep packet inspection (DPI), in which a system analyzes the actual content, or “payload”, of a packet. However, DPI is resource intensive: the system must store one or more packets sent from the smart appliance and analyze them before forwarding them to their intended destination, which increases the latency of communication through the local network. Additionally, if the traffic to or from the smart appliance is encrypted, DPI can only read it by decrypting the communication through a man-in-the-middle attack, which weakens the confidentiality of the data carried in the smart appliance's communications. Furthermore, performing a man-in-the-middle attack can be difficult. Unless a root certificate controlled by the inspecting system is installed on the smart appliance, or the smart appliance ignores TLS or SSL errors, it is not possible to perform a man-in-the-middle attack in order to perform DPI. Additionally, if the smart appliance uses “certificate pinning” or other certificate validation techniques to ensure that the certificate presented by the remote server is the expected one, then man-in-the-middle attacks cannot be used, and DPI cannot be applied to identify malicious traffic.
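The two DPI limitations described above, the need to buffer a flow before forwarding it and the blindness to encrypted payloads, can be seen in a small simulation. The following is an added example written for this page, not code from the original text or from any product it describes. It assumes a toy signature set, a constructed sample capture using TEST-NET addresses (192.0.2.10, 203.0.113.5, 198.51.100.7), and a constructed SHA-256 counter-mode keystream that stands in for TLS record protection; that stand-in is not TLS and is not secure, it only produces ciphertext that carries no matchable signature bytes.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One captured packet: the flow it belongs to plus its payload bytes."""
    src: str
    dst: str
    payload: bytes


# Assumption: a tiny signature set standing in for a real DPI ruleset (constructed).
SIGNATURES = {
    "credential-exfiltration": re.compile(rb"password=", re.IGNORECASE),
    "c2-beacon": re.compile(rb"GET /beacon\?id=[0-9a-f]+ HTTP/1\.[01]"),
}


def inspect_payload(payload: bytes) -> list[str]:
    """Return the names of every signature that matches the given bytes."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def inspect_flows(packets: list[Packet]) -> dict[tuple[str, str], list[str]]:
    """Buffer every packet of a flow, reassemble the stream, then inspect it.

    Holding packets back until the whole flow can be inspected is the source of
    the added latency the text describes: nothing is forwarded until this returns.
    """
    buffers: dict[tuple[str, str], bytearray] = defaultdict(bytearray)
    for pkt in packets:
        buffers[(pkt.src, pkt.dst)] += pkt.payload
    return {flow: inspect_payload(bytes(data)) for flow, data in buffers.items()}


def keystream_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Constructed stand-in for TLS record protection: XOR with a SHA-256 counter keystream.

    Not TLS and not secure; it exists only so the inspector sees ciphertext it
    cannot match. The operation is symmetric: apply it again with the same key
    to decrypt.
    """
    out = bytearray()
    for block, i in enumerate(range(0, len(plaintext), 32)):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + 32], ks))
    return bytes(out)


# Constructed sample request from a fictional appliance; 82 bytes in total.
PLAINTEXT_REQUEST = (
    b"POST /login HTTP/1.1\r\nHost: appliance-cloud.example\r\n\r\n"
    b"user=owner&password=hunter2"
)
SESSION_KEY = b"constructed-session-key"  # stands in for a negotiated TLS key
SPLIT = 70  # chosen so the "password=" token straddles the two packets


def build_sample_capture() -> list[Packet]:
    """Two flows carrying the same request: one in the clear, one encrypted end to end."""
    clear = [
        Packet("192.0.2.10", "203.0.113.5", PLAINTEXT_REQUEST[:SPLIT]),
        Packet("192.0.2.10", "203.0.113.5", PLAINTEXT_REQUEST[SPLIT:]),
    ]
    ciphertext = keystream_encrypt(PLAINTEXT_REQUEST, SESSION_KEY)
    encrypted = [
        Packet("192.0.2.10", "198.51.100.7", ciphertext[:SPLIT]),
        Packet("192.0.2.10", "198.51.100.7", ciphertext[SPLIT:]),
    ]
    return clear + encrypted


if __name__ == "__main__":
    capture = build_sample_capture()
    print("per-packet:", [inspect_payload(p.payload) for p in capture])
    print("per-flow:  ", inspect_flows(capture))
```

Inspecting each packet on its own misses the cleartext credential because the token is split across two packets, which is why a DPI system must buffer and reassemble before it forwards anything. The reassembled cleartext flow is flagged, while the encrypted flow, carrying the identical request, produces no match at all, since the inspector holds no key and there is nothing for a signature to match against.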